Android app swipes contactless credit card details

Got a credit card equipped with a contactless payment chip? Then watch out next time someone bumps into you in the street - they may have just mugged you with an app.

Contactless cards use near field communications (NFC) chips to exchange your payment details with a merchant's till, and some smartphones also come equipped with NFC chips to let you use them as a wallet. Now security researcher Thomas Skora has written an app that turns any NFC phone into a reader and successfully read card numbers, expiry dates, transactions and merchant IDs from German credit cards.

Let me get this straight. They've given the cards the ability to wirelessly broadcast sensitive data to anyone? And now they're surprised that the card wirelessly broadcasts sensitive data to anyone?

If that's what they've done, then what's the purpose of making this card? Why not just tell people to put all their money in a bowl and extend it to every stranger they see?

If I may quote Albert Einstein: "One thought sometimes makes me hazy: Am I or are the others crazy?"

Brion Swanson
on June 25, 2012 1:10 PM

There is a critical distinction this article is confusing. The NFC (Near Field Communication) chip is in the device (phone) of the attacker only. The victims have RFID-enabled credit cards such as MasterCard's PayPass, Visa's PayWave, and American Express' Blue credit cards with RFID chips embedded within them.

The primary difference between RFID and NFC is that RFID is passively activated with an electric field (which the NFC-enabled phone can generate), while the NFC chip is typically actively activated, meaning the user of the device must perform some sort of interaction in order to allow any data to be transferred. This precludes NFC devices from being the target of a passive attack, unlike RFID.

In addition, my real-world experience is that casually brushing against someone with an NFC device to connect with another NFC device would be incredibly difficult because the antennas of both devices have to practically be touching for the connection to even exist - something that's highly unlikely to happen from a casual brush. RFID on the other hand is another matter. Those RFID-enabled cards are inherently insecure. They are so much so that Adam Pascal of Mythbusters was banned from doing an episode on the cards by the companies that have a huge stake in the technology (Visa, MC, and AmEx).